How to apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial


What is SSL? Chen Weiliang covered it in the previous article "What is the difference between http and https? A detailed explanation of the SSL encryption process".

E-commerce sites need to buy a premium SSL certificate. If instead you are a new-media person who uses a website for WeChat public account promotion and you want to install an SSL certificate, you can install a free SSL certificate, which is good for SEO and can improve the ranking of the website's keywords in search engines.


Let's Encrypt itself has written a set of procedures (https://certbot.eff.org/); friends who use Linux can refer to those procedures and follow this tutorial.

First download the certbot-auto tool, then run it to install the tool's dependencies.

# Do not pass --no-check-certificate: this script is run as root, so the download must be TLS-verified
wget https://dl.eff.org/certbot-auto
chmod +x ./certbot-auto
./certbot-auto -n

Generate the SSL certificate

Next, Chen Weiliang's blog domain name is used as the example; please modify it as needed. Run the following commands over SSH.

Remember to change the following in the commands:

  1. The email address
  2. The server path
  3. The website domain name

Single domain name, single directory, generate one certificate:

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com

Multiple domain names, single directory, generate one certificate: (that is, multiple domain names served from one directory share the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com

The generated SSL certificate is saved under the /etc/letsencrypt/live/www.chenweiliang.com/ directory.


Multiple domain names, multiple directories, generate one certificate: (that is, multiple domain names served from multiple directories share the same certificate)

./certbot-auto certonly --email [email protected] --agree-tos --no-eff-email --webroot -w /home/admin/web/chenweiliang.com/public_html -d www.chenweiliang.com -d img.chenweiliang.com -w /home/eloha/public_html/site/etufo.org -d www.etufo.org -d img.etufo.org

After the Let's Encrypt certificate has been installed successfully, the following message appears in SSH:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.chenweiliang.com/privkey.pem
Your cert will expire on 2018-02-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

SSL certificate renewal

Certificate renewal is also very convenient: use crontab to renew automatically. Some Debian systems do not have crontab installed; you can install it manually first.

apt-get install cron

The following entries are for nginx and Apache respectively. Added to the /etc/crontab file, they run the renewal every 10 days, which is enough for the 90-day validity period. Entries in /etc/crontab take a user field after the schedule, here root.

For nginx, add to the crontab file:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "/etc/init.d/nginx reload"

For Apache, add to the crontab file:

0 3 */10 * * root /root/certbot-auto renew --renew-hook "service httpd restart"

SSL certificate Apache configuration

Now we need to modify the Apache configuration.

Tips:

  • If you use the CWP Control Panel, tick "automatically generate SSL certificate" when adding the domain name, and the Apache SSL certificate configuration is set up automatically.
  • If you additionally perform the steps below, an error may occur after restarting Apache.
  • If something goes wrong, delete the configuration you added manually.

Edit the httpd.conf file ▼

/usr/local/apache/conf/httpd.conf

Find ▼

Listen 443
  • (Remove the # in front)

Or add the listening port 443 ▼

Listen 443

Check over SSH which ports Apache listens on ▼

grep ^Listen /usr/local/apache/conf/httpd.conf

Find ▼

mod_ssl
  • (Remove the # in front)

Or add ▼

LoadModule ssl_module modules/mod_ssl.so

Find ▼

httpd-ssl
  • (Remove the # in front)

Then run the following command over SSH (remember to change the paths to your own):

cat >/usr/local/apache/conf/extra/httpd-ssl.conf<<EOF
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProxyCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/usr/local/apache/logs/ssl_mutex"
EOF

Next, go to the end of the Apache configuration for the website you created.

Add the following SSL configuration (remember to remove the comments and change the paths to your own):

<VirtualHost *:443>
DocumentRoot /home/admin/web/chenweiliang.com/public_html //website directory
ServerName www.chenweiliang.com:443 //domain name
ServerAdmin [email protected] //email address
ErrorLog "/var/log/www.chenweiliang.com-error_log" //error log
CustomLog "/var/log/www.chenweiliang.com-access_log" common //access log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.chenweiliang.com/fullchain.pem //the certificate generated earlier
SSLCertificateKeyFile /etc/letsencrypt/live/www.chenweiliang.com/privkey.pem //the key generated earlier
<Directory "/home/admin/web/chenweiliang.com/public_html"> //website directory
SetOutputFilter DEFLATE
Options FollowSymLinks
AllowOverride All
suPHP_UserGroup eloha eloha //user group (some server configurations need this line, some may not; delete it if it causes an error)
Order allow,deny
Allow from all
DirectoryIndex index.html index.phps
</Directory>
</VirtualHost>

Finally, restart Apache:

service httpd restart
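
The SSLProtocol all -SSLv2 -SSLv3 line written to httpd-ssl.conf above removes only SSLv2 and SSLv3, so TLS 1.0 and TLS 1.1 (both deprecated by RFC 8996) stay enabled. The following audit is an added example, not code from the original article; the function names and the sample file are constructed, and the expansion of "all" is an assumption that depends on the Apache/OpenSSL build.

```sh
#!/bin/sh
# Added example, not from the original article: for each SSLProtocol or
# SSLProxyProtocol line, list the deprecated protocols it leaves enabled.
# Assumption: "all" expands to the five names below; the real set depends
# on the Apache/OpenSSL build.

# audit_sslprotocol FILE -> "<line> <directive> legacy=<list|none>" per directive
audit_sslprotocol() {
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", all, " ") }
    function set_all(v,   j) { for (j = 1; j <= n; j++) on[all[j]] = v }
    tolower($1) == "sslprotocol" || tolower($1) == "sslproxyprotocol" {
        set_all(0)
        for (i = 2; i <= NF; i++) {
            tok = $i; sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") tok = substr(tok, 2)
            else { sign = "+"; set_all(0) }   # a bare name replaces the set
            if (tolower(tok) == "all") { set_all(sign == "+"); continue }
            for (j = 1; j <= n; j++)
                if (tolower(all[j]) == tolower(tok)) on[all[j]] = (sign == "+")
        }
        legacy = ""
        for (j = 1; j <= 3; j++)              # the first three names are deprecated
            if (on[all[j]]) legacy = (legacy == "" ? "" : legacy ",") all[j]
        if (legacy == "") legacy = "none"
        print NR, $1, "legacy=" legacy
    }' "$1"
}

# Constructed sample: the two directives from the page, then a tightened one.
write_sample() {
    cat > "$1" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
EOF
}
```

On a server, point audit_sslprotocol at the httpd-ssl.conf path used above; any line that does not report legacy=none still offers a deprecated protocol.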

Apache: force HTTP to redirect to HTTPS

  • Many web applications can only run over SSL.
  • We need to make sure that whenever SSL is used, the website is accessed through SSL.
  • If a user tries to access the website with a non-SSL URL, they must be redirected to the SSL website.
  • Use the Apache mod_rewrite module to redirect to SSL URLs.
  • If you installed with the LAMP one-click installation package, it has built-in automatic installation of the SSL certificate and forced redirection to HTTPS. With forced redirection already in effect, you do not need to add the HTTPS redirect.

Add the redirect rule

  • In the Apache configuration file, edit the website's virtual host and add the following settings.
  • You can also add the same settings to the .htaccess file in your website's document root.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you only want specific URLs to redirect to HTTPS:

RewriteEngine On
RewriteRule ^message$ https://www.etufo.org/message [R=301,L]
  • If someone tries to access message, the page jumps to https, and users can only access that URL over SSL.

Restart Apache for the .htaccess file to take effect:

service httpd restart

Note

  • Please change the email address above to your own email address.
  • Remember to change the website domain name above to your own website domain name.

The redirect rule placement problem

With pseudo-static rules in place, when you add the redirect rule you often run into the problem that http cannot be redirected to https.

At first we copied the redirect code into .htaccess, and it ended up in the following situation ▼

[Image 2: the redirect rule with the [L] rule above it]

  • [L] indicates that the current rule is the last rule; the rewrite rules below it are no longer processed.
  • So when the page to be redirected is accessed, [L] stops the rules below it, and the redirect rule does not take effect.

When visiting the http home page, we want the URL redirect to be triggered, skipping the pseudo-static rules so that the redirect rule is executed, which achieves a site-wide http redirect to https.

Do not put the https redirect rule below the [L] rule; put it above the [L] rule ▼

[Image 3: pseudo-static rules and the SSL redirect rule, with the [L] rule below]
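
The ordering problem described above can be checked mechanically. The following shell function is an added example, not code from the original article; the names check_redirect_order and write_samples and the two .htaccess samples are constructed for illustration, and the check compares rule positions only, without evaluating the patterns.

```sh
#!/bin/sh
# Added example, not from the original article: report whether the
# HTTP->HTTPS redirect in an .htaccess sits above every rule flagged [L].

# check_redirect_order FILE -> prints ok | shadowed | missing
check_redirect_order() {
    awk '
    function has_last(flags,   n, i, f) {
        n = split(substr(flags, 2, length(flags) - 2), f, ",")
        for (i = 1; i <= n; i++)
            if (toupper(f[i]) == "L" || toupper(f[i]) == "END") return 1
        return 0
    }
    { d = tolower($1) }
    d == "rewritecond" && $2 == "%{HTTPS}" && ($3 == "off" || $3 == "!=on") { https = 1; next }
    d == "rewriterule" {
        if (https && $3 ~ /^https:\/\//) { if (!redirect) redirect = NR }
        else if (has_last($4) && !first_last) first_last = NR
        https = 0
    }
    END {
        if (!redirect) print "missing"
        else if (first_last && first_last < redirect) print "shadowed"
        else print "ok"
    }' "$1"
}

# Constructed samples: pseudo-static rules with the redirect below them
# (bad) and above them (good).
write_samples() {
    cat > "$1/bad.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
    cat > "$1/good.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF
}
```

A result of shadowed means an [L] rule appears before the redirect, which is the situation in which http requests are not sent to https.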

This article, "How to apply for Let's Encrypt? Let's Encrypt Free SSL Certificate Principle & Installation Tutorial", was shared by Chen Weiliang Blog ( https://www.chenweiliang.com/ ); we hope it helps you.

Link to this article: https://www.chenweiliang.com/cwl-512.html
